Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 07-09-2024 22:18
Static task: static1
Behavioral task: behavioral1
- Sample: d2f2c08ebeb5e226b23fbae86bc51169_JaffaCakes118.dll
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: d2f2c08ebeb5e226b23fbae86bc51169_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: d2f2c08ebeb5e226b23fbae86bc51169_JaffaCakes118.dll
- Size: 5.0MB
- MD5: d2f2c08ebeb5e226b23fbae86bc51169
- SHA1: ac4bbe7363aa4f1cbaa8c66818726ab13373fe09
- SHA256: 88674e9e3762f6c669a749134efc4daff5ddede1ca50d1167a216b635a2bce8d
- SHA512: 6ac6c5d00afea526c778e973f9342959ac8c4490a87dfd4347bb47e6d4539d114b5b5ce59e27db72632744b0d207199f64f013d86e716e31208c8399a8a78f06
- SSDEEP: 49152:SnAQqMSPbcBVu/1INRx+TSqTdX1HkQo6SAA:+DqPoBI1aRxcSUDk36SA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3289) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid | Process
  2172 | mssecsvc.exe
  2056 | mssecsvc.exe
  2696 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC88DB52-D2B7-43F4-90FB-8B58233713DF}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC88DB52-D2B7-43F4-90FB-8B58233713DF}\WpadDecision = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC88DB52-D2B7-43F4-90FB-8B58233713DF}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-8e-25-34-68-ef\WpadDecision = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC88DB52-D2B7-43F4-90FB-8B58233713DF}\WpadDecisionTime = 703b7bd77301db01 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-8e-25-34-68-ef | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC88DB52-D2B7-43F4-90FB-8B58233713DF}\e6-8e-25-34-68-ef | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC88DB52-D2B7-43F4-90FB-8B58233713DF} | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-8e-25-34-68-ef\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-8e-25-34-68-ef\WpadDecisionTime = 703b7bd77301db01 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 1700 wrote to memory of 1900 | 1700 | rundll32.exe | 30
  PID 1700 wrote to memory of 1900 | 1700 | rundll32.exe | 30
  PID 1700 wrote to memory of 1900 | 1700 | rundll32.exe | 30
  PID 1700 wrote to memory of 1900 | 1700 | rundll32.exe | 30
  PID 1700 wrote to memory of 1900 | 1700 | rundll32.exe | 30
  PID 1700 wrote to memory of 1900 | 1700 | rundll32.exe | 30
  PID 1700 wrote to memory of 1900 | 1700 | rundll32.exe | 30
  PID 1900 wrote to memory of 2172 | 1900 | rundll32.exe | 31
  PID 1900 wrote to memory of 2172 | 1900 | rundll32.exe | 31
  PID 1900 wrote to memory of 2172 | 1900 | rundll32.exe | 31
  PID 1900 wrote to memory of 2172 | 1900 | rundll32.exe | 31
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2f2c08ebeb5e226b23fbae86bc51169_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1700
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2f2c08ebeb5e226b23fbae86bc51169_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1900
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 2172
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2696
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID: 2056
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 3fea3a6fa33027e883f56153ba2efb7c
  SHA1: cb418468f681574ffda7f23869ce2108215961d5
  SHA256: 6fd4e99f6083595256d5724c8da529945763454b0666d229ca8987702e405ec9
  SHA512: 141a5420ea928e7088343254aaf0955e1de4572b11de8bd1b8d3745685da8b9286f28ba274faf804f5cb071c1dd16ae0ead18f0f5ae4ce2ad6e23a4b0d87b599
- Filesize: 3.4MB
  MD5: c703676c99b49e2f0b4b3543af5bb91b
  SHA1: 4fb551d62fc28bf553d7a9d1b3a74af40a43717b
  SHA256: 5c5d64979714cfb92ab45357e791a8729c151b248fbe103e4c4a4b89a81e64e9
  SHA512: 0bef8cab7ab951a5e0a6fb46aa051dbdb85e9ba05b577eff42bd0dd8d97070d24f909983368e6fd8754c49a3e8a5599ccbf213617b86fdeb9f4f1a2dd7d8dffd